On 24.11.2003, at 22:36, Dave O wrote:

> It works ok and I've got rules set up to block out the nasty stuff.

Instead of setting up rules to block the nasty stuff, you should rather make sure all your pass rules only pass stuff you want. Then the rest is blocked by default. Good firewall practices. ;)

> Making the following assumptions:
>
> WAN is 192.168.0.55
> LAN is 172.16.33.1
> OPT1 is 172.16.34.1

Assuming the subnet masks on LAN and OPT1 are /24, that's very well possible.

> Nothing from OPT1 should go out to the WAN.

As long as you don't set up any rule for the OPT1 interface, nothing will go out from OPT1 to anywhere.

> Ports 137-139 are allowed between OPT1 and LAN.

Easy! Just add a rule that permits traffic on interface OPT1, source OPT1 subnet, destination LAN subnet, on the ports you want to allow. If you still have the default rule on LAN (allow from LAN to any) in effect, then LAN hosts will be able to establish connections with OPT1 hosts on any port (but not vice versa).

Don't forget that the rules only deal with the first packet of each connection. Once that is allowed by your ruleset, all packets belonging to the same connection (even in the other direction) are passed - no matter what your ruleset says!

> LAN is NATed. I'm getting a bit confused in trying to set this up.
> Since LAN is NATed - and after reading the ipfilter FAQ - should rules
> on OPT1 be set up to allow from network 192.168.0.55 or 172.16.33.1.
> IPFilter supposedly does NAT translation once a packet passes through
> the interface. THEN it does the rule handling.

Not quite. m0n0wall handles NAT on the WAN interface, but your LAN <-> OPT1 communication never passes through the WAN interface, so you don't have to worry about NAT at all there.

Guess I should write an explanation on how filter rules are handled in m0n0wall...

HTH,
Manuel
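The rule semantics Manuel describes (default deny, pass rules evaluated per interface on the first packet of a connection, and state entries that let every later packet of that connection through in both directions) are easy to get wrong when reading a ruleset, so here is a small model of them as an added example. It is not m0n0wall or IPFilter code and is deliberately simplified (first-match, one ruleset per inbound interface, TCP only); it uses the LAN and OPT1 addresses from the thread with the /24 masks Manuel assumed, and a constructed Internet address from the documentation range to stand in for "the WAN".

```python
"""Toy stateful packet-filter model of the rule behaviour described in the thread.

Added example, not m0n0wall/IPFilter code. Assumptions: LAN is 172.16.33.0/24,
OPT1 is 172.16.34.0/24 (both /24 as assumed in the reply), rules are matched
first-match on the interface a packet arrives on, and a matching pass rule
creates a state entry that passes the rest of that connection either way.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("172.16.33.0/24")   # LAN side, /24 assumed
OPT1_NET = ip_network("172.16.34.0/24")  # OPT1 side, /24 assumed


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "lan", "opt1" or "wan"
    src: str
    dst: str
    dport: int
    sport: int = 40000  # arbitrary client port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A pass rule; None means 'any'. There are no block rules: everything
    that matches no pass rule is dropped by the default policy."""
    iface: str
    src_net: Optional[IPv4Network]
    dst_net: Optional[IPv4Network]
    dports: Optional[range]

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface:
            return False
        if self.src_net is not None and ip_address(p.src) not in self.src_net:
            return False
        if self.dst_net is not None and ip_address(p.dst) not in self.dst_net:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # 5-tuples of connections already allowed

    def process(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # A packet of an existing connection passes in either direction,
        # regardless of what the rules on this interface say.
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        # Only the first packet of a connection is checked against the rules.
        for rule in self.rules:
            if rule.matches(p):
                self.states.add(fwd)
                return "pass (rule)"
        return "block (default)"


# The ruleset from the thread: the default LAN rule (LAN net to any) plus one
# OPT1 rule allowing only ports 137-139 from the OPT1 subnet to the LAN subnet.
RULES = [
    Rule("lan", LAN_NET, None, None),
    Rule("opt1", OPT1_NET, LAN_NET, range(137, 140)),
]


def run_scenarios() -> dict:
    """Constructed traffic: 172.16.33.10 is a LAN host, 172.16.34.20 an OPT1
    host, 198.51.100.7 a placeholder Internet host. Order matters, because the
    LAN->OPT1 connection creates the state that its reply relies on."""
    fw = Firewall(RULES)
    return {
        "opt1_to_lan_netbios": fw.process(Packet("opt1", "172.16.34.20", "172.16.33.10", 139)),
        "opt1_to_lan_http": fw.process(Packet("opt1", "172.16.34.20", "172.16.33.10", 80)),
        "opt1_to_internet": fw.process(Packet("opt1", "172.16.34.20", "198.51.100.7", 80)),
        "lan_to_opt1_http": fw.process(Packet("lan", "172.16.33.10", "172.16.34.20", 80, sport=51000)),
        # Reply from the OPT1 web server: no OPT1 rule allows it, state does.
        "opt1_reply_to_lan": fw.process(Packet("opt1", "172.16.34.20", "172.16.33.10", 51000, sport=80)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The last two scenarios are the point Manuel makes about "not vice versa": the LAN host may open a connection to any OPT1 port because the default LAN rule passes the first packet, and the OPT1 host's reply is passed by the state entry even though no OPT1 rule would allow a fresh connection to port 51000. When auditing a ruleset, check which interface a connection's first packet arrives on and which pass rule it hits there; what the other interface's rules say about the return traffic is irrelevant.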